Security Incidents mailing list archives

Re: [unisog] Re: Re: Large Attack


From: "Walter G. Aiello" <Walter.Aiello () Duke edu>
Date: Mon, 04 Mar 2002 14:09:04 -0500

Greetings, Don:

I replied to David Staggs at Vanderbilt as follows:

 Yes, I agree that a well-protected and moderated site that
 listed problem networks would be an excellent idea. SANS
 has a list of the "Top 10 Most Wanted" that contains the 10
 worst offenders in the previous 5 day period.

 If a list such as that were combined into a list of sources
 and ISP's that are the least responsive, and if enough of us
 blocked the offenders, it might just hit their bottom line
 hard enough for them to start taking some responsibility.

What would be very useful would be a list of ISP's and the IP
addresses they control. That would enable us to completely
block those ISP's without having a "dribble effect" of blocking
a subnet, only to be attacked from another of their subnets,
and so on. For example, Jordan Wiens provided a list of network
blocks owned by France Telecom (wanadoo.fr's parent company),
which has been particularly unresponsive to complaints about the
hailstorm of portscanning coming from their network. Several
posters evidently indicated that they were at least considering
blocking all traffic from those IP ranges. I added a few
subnets to his list:

----------------
80.9.0.0/16            193.252.0.0/16 except for:
80.11.0.0/16                193.252.4.0/24               
80.12.0.0/19                192.252.16.0/24
80.12.32.0/20               192.252.17.0/24
80.12.48.0/23               192.252.18.0/24
80.12.128.0/20              193.252.64.0/19
80.12.144.0/22              193.252.96.0/21
80.12.148.0/23              193.252.112.0/20
80.13.0.0/16                193.252.150.0/23
80.14.0.0/16                193.252.150.0/23
193.248.0.0/16              193.252.152.0/21
193.249.0.0/17              193.252.160.0/22
193.249.160.0/19            193.252.224.0/19
193.249.224.0/19
193.250.0.0/16        193.253.0.0/16 except for:
193.251.0.0/18              193.253.0.0/20
193.251.64.0/19             193.253.64.0/18
193.251.176.0/20           
217.128.0.0/16

Something like a "Top 10" (perhaps "Bottom Ten" would be more
appropriate) list of ISP's and their network blocks would be
extremely helpful to those of us who want to restrict access
by those ISP's.

Best regards and thank you.
Walter G. Aiello

-- 
Dr. Walter G. Aiello
Manager, Network and Information Services
Magnetic Resonance Research Section
Box 3808, Department of Radiology
Duke University Medical Center

Walter.Aiello () Duke edu
(919) 684 7519
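To turn a list like the one above, with its "except for" carve-outs, into a flat deny list that a router ACL or firewall can load, here is an added Python example (not part of the original message or thread); the RULES table is transcribed from the post, and expand() also reports exceptions that do not fall inside the block they are written under, such as the 192.252.x entries listed under 193.252.0.0/16, so that they are not silently dropped.

```python
from ipaddress import ip_address, ip_network

# Netblocks transcribed from the list in the message above. A plain block has
# no exceptions; "X except for: ..." is written as (X, [exceptions]).
RULES = [
    ("80.9.0.0/16", []), ("80.11.0.0/16", []), ("80.12.0.0/19", []),
    ("80.12.32.0/20", []), ("80.12.48.0/23", []), ("80.12.128.0/20", []),
    ("80.12.144.0/22", []), ("80.12.148.0/23", []), ("80.13.0.0/16", []),
    ("80.14.0.0/16", []), ("193.248.0.0/16", []), ("193.249.0.0/17", []),
    ("193.249.160.0/19", []), ("193.249.224.0/19", []), ("193.250.0.0/16", []),
    ("193.251.0.0/18", []), ("193.251.64.0/19", []), ("193.251.176.0/20", []),
    ("217.128.0.0/16", []),
    ("193.252.0.0/16", ["193.252.4.0/24", "192.252.16.0/24", "192.252.17.0/24",
                        "192.252.18.0/24", "193.252.64.0/19", "193.252.96.0/21",
                        "193.252.112.0/20", "193.252.150.0/23", "193.252.150.0/23",
                        "193.252.152.0/21", "193.252.160.0/22", "193.252.224.0/19"]),
    ("193.253.0.0/16", ["193.253.0.0/20", "193.253.64.0/18"]),
]

def expand(rules):
    """Carve every exception out of its parent block.

    Returns (deny, unmatched): deny is the flat list of CIDRs that an ACL
    without an "except" syntax can load directly; unmatched holds the
    (block, exception) pairs whose exception did not lie inside the block
    it was written under (typo or duplicate), so it had no effect.
    """
    deny, unmatched = [], []
    for block, exceptions in rules:
        remaining = [ip_network(block)]
        for exc in exceptions:
            exc_net = ip_network(exc)
            carved, hit = [], False
            for net in remaining:
                if not hit and exc_net.subnet_of(net):
                    carved.extend(net.address_exclude(exc_net))  # split net around exc
                    hit = True
                else:
                    carved.append(net)
            if not hit:
                unmatched.append((block, exc))
            remaining = carved
        deny.extend(remaining)
    return sorted(set(deny)), unmatched

def is_blocked(ip, deny):
    """True when ip falls inside any CIDR of the expanded deny list."""
    addr = ip_address(ip)
    return any(addr in net for net in deny)
```

Running expand(RULES) on the list as posted flags the three 192.252.x lines and the repeated 193.252.150.0/23 as unmatched, which is the check worth doing before loading such a list into a border router.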

Don Wolf wrote:

In regards to your interest in seeing "a site to list 'dirty subnets' -
those subnets from which we see repeated attacks", there is a great site
in which to go.  DShield has been doing just that for some time.  Just
thought I'd point it out for those who didn't know.  This link according
to DShield "shows the top 10 offenders according to the DShield database".

http://www.dshield.org/top10.html

___________________________________
 Don J. Wolf - Security Consultant
 SANS/GIAC, MCP, CCNA, ICSA
 SecuredSite Intrusion Specialists
 www.SecuredSite.org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
